OPM hack could affect every government employee
The hack of the Office of Personnel Management (OPM) is much bigger than first reported and could impact every single federal government employee (Reuters)

The hugely embarrassing cyber attack against the US government which saw hackers steal sensitive personal details of federal employees is now thought to be much worse than first feared.

On 5 June the US government was rocked by revelations that the personnel details of up to four million employees may have been stolen from the Office of Personnel Management (OPM) in one of the highest profile cyber attacks in US history. One source estimates the figure could be nearer 14 million.

The government was quick to point the finger of blame at Chinese government hackers but it now appears as if the extent of the attack was many times the size originally reported.

According to officials at one of the largest unions representing federal employees, the personal information of every single federal employee working in government, along with retirees and former employees, was compromised in an attack that now appears to have been on-going for up to a year -- much longer than the six months originally reported by the US government.

In a letter sent to OPM director Katherine Archuleta and obtained by the National Journal, the president of the American Federation of Government Employees (AFGE), David Cox, alleges: "We believe that the Central Personnel Data File was the targeted database and that the hackers are now in possession of all personnel data for every federal employee, every federal retiree and up to one million former federal employees."

The AFGE, which represents 670,000 employees, has also criticised the 18 months of credit monitoring and $1m (£650,000) liability insurance as "entirely inadequate" as compensation or protection from harm.

"Indefensible and outrageous"

The letter goes on to say the union believes the hackers have the social security numbers; military records and veterans' status information; addresses, dates of birth, job and pay history; health insurance, life insurance, and pension information; gender, race, union status and more.

It added that it understands the social security numbers of employees were not encrypted, which it describes as a "cybersecurity failure that is indefensible and outrageous".

The claims made in the letter are backed up by a report from ABC which quotes US officials saying the data breach was "far deeper and potentially more problematic than publicly acknowledged".

The sources said an initial intrusion into OPM's systems happened more than a year ago and from there the hackers were able to move through four different "segments" of the internal systems undetected.

Einstein

The US government has invested heavily in an early detection system for cyber attacks called Einstein, but it completely failed to flag up the intrusion until it was far too late.

The OPM may not be the best known US government agency, but it is one of the most important as it handles the security clearances and employee records for 90% of all federal agencies, including the Department of Homeland Security (DHS), National Security Agency (NSA) and the Federal Bureau of Investigation (FBI).

OPM security management audit
The audit of OPM in 2014 revealed multiple serious and on-going security holes (Office of Personnel Management)

More than 50 government agencies send data to the OPM for storage and one of the biggest problems in ascertaining exactly how much data was compromised is that the OPM simply doesn't have a good handle on how much data it stores in the first place.

One security audit carried out in 2014 says the agency does not maintain "a comprehensive inventory of servers, databases, and network devices", indicating that accurately predicting just how much personal information was stolen is going to be tough.

Relatives, friends and college roommates at risk

The sources speaking to ABC categorically dispute claims made by the OPM that details about "family members of employees were not affected" by the breach. It has been pointed out that some federal employees would have filled out a 127-page report called an SF-86 which asked them to give information about relatives, friends, and even college roommates.

The source said: "If the SF-86s associated with this hack were, in their entirety, part of the stolen information, then that would mean the potential release of a staggering amount of information, affecting an exponential amount of people."

The amount of information at risk is staggering and could date back over three decades.

Thomas Drake, the former NSA official who turned whistleblower, revealed that two of his former colleagues, retired since 2001, have been informed by the Department of Homeland Security that their information was compromised.

Drake added that law enforcement sources had revealed the total number of people affected could be as high as 14 million, though the scope and scale of the breach was still unknown.

Officials have yet to comment on the latest claims.

Here is the letter from the American Federation of Government Employees to the OPM: